What powers does the information commissioner have to impose penalties on organisations that breach the data protection act?
The Information Commissioner’s Office (ICO) has extensive powers to impose penalties on organisations that breach the DPA. For example, it can: • Conduct assessments to check organisations are complying with the DPA. • Serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period. • Serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps to ensure they comply with the law. • Prosecute those who commit criminal offences under the DPA. • Conduct audits to assess whether an organisation’s processing of personal data follows good practice. A data controller who persistently breaches the Act and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates’ court, and an unlimited fine
